Better User Authentication - PowerPoint PPT Presentation
Transcript and Presenter's Notes

1
Better User Authentication
  • WILSWorld 2004, July 28, 2004
  • Thomas Dowling, tdowling@ohiolink.edu
  • http://sienna.ohiolink.edu/tdowling/presentations/ww2004/auth.ppt

2
Starting From This
  • I am:
  • Chris Jones, UWSP student number 62-3407, home
    phone number 715-555-1234, e-mail
    chris.jones@uwsp.edu
  • Currently enrolled UWSP student, undergraduate
    psychology major, enrolled in Psych 402 senior
    seminar

3
We Want This
  • Unambiguous mechanism that:
  • Demonstrates you really are a member of an
    appropriate group (UWSP student, enrolled in Psyc
    402, etc.)
  • Works securely
  • Protects your privacy
  • Indicates you are a human being?

4
Not This
  • EXP DATE[p43]=09-30-04
  • RANK[p44]=v
  • CAMPUS[p45]=a
  • DEPT[p46]=0
  • P TYPE[p47]=5
  • TOT CHKOUT[p48]=13
  • TOT RENWAL[p49]=1
  • CUR CHKOUT[p50]=0
  • HOME LIBR[p53]=none
  • PMESSAGE[p54]=
  • MBLOCK[p56]=-
  • REC TYPE[p80]=p
  • RECORD[p81]=1383699
  • REC LENG[p82]=252
  • CREATED[p83]=08-12-99
  • UPDATED[p84]=01-07-04
  • REVISIONS[p85]=100
  • AGENCY[p86]=1
  • CL RTRND[p95]=0
  • MONEY OWED[p96]=0.00
  • BLK UNTIL[p101]= - -
  • CUR ITEMA[p102]=0
  • CUR ITEMB[p103]=0
  • PIUSE[p104]=0
  • OD PENALTY[p105]=0
  • ILL REQUES[p122]=0
  • CIRCACTIVE[p163]=08-14-03
  • PATRN NAME[pn]=DOWLING, THOMAS P.
  • ADDRESS[pa]=OHIOLINK 2455 N STAR RD SUITE 300 VIA
    U.S. CARGO
  • ZIP CODE[pz]=CAMPUS
  • TELEPHONE[pt]=614-728-3600
  • UNIQUE NO[ps]=391
  • S/N[pu]=391

5
A Side Trip to CAPTCHAs
Completely Automated Public Turing test to tell
Computers and Humans Apart
www.captcha.net
6
How Do We Identify Users Today?
  • IP address
  • Password (server-level basic or digest auth;
    application-level)
  • Cookie
  • Referer

7
Enter Shibboleth
  • FAQ 1: Why is it called Shibboleth?
  • A: Judges 12:5-6: "And the Gileadites took the
    fords of the Jordan; when any of the fugitives of
    Ephraim said, 'Let me go over,' the men of Gilead
    said to him, 'Then say Shibboleth,' and he said
    'Sibboleth,' for he could not pronounce it right;
    then they seized him and slew him at the fords of
    the Jordan."

8
Enter Shibboleth
  • Product of Internet2 development
  • Secure framework for one organization to
    transmit attributes about a web-browsing
    individual across security domains to another
    institution.
  • Only end-user requirement is a browser that
    supports cookies, redirection, and SSL.

9
Enter Shibboleth
Beware of all enterprises that require new
clothes. (Thoreau)
Same goes for learning new acronyms.
10
Shibboleth Vocabulary
  • Four main structures:
  • Origin: site with user directory information
  • Target: site with restricted resource
  • Where Are You From (WAYF) service: lets a
    target site's users select an appropriate origin
  • Federations: groups of origins and targets with
    agreed-upon policies for authentication

11
Shibboleth Vocabulary
  • Origin components:
  • User directory with necessary attributes
  • Attribute Authority (AA): manages attribute
    release policies (ARPs) for different targets
  • Handle Service (HS): manages temporary references
    (handles) that identify user sessions
  • Local sign-on system (SSO): performs the check
    against the user directory for a valid login

12
Shibboleth Vocabulary
  • Target components:
  • Shib. Indexical Reference Establisher (SHIRE):
    consults the WAYF to get a handle to query
  • Shib. Attribute Requester (SHAR): contacts the
    origin's Attribute Authority for needed attributes
  • Resource Manager (RM): passes unauthenticated
    requests to SHIRE, grants access to authenticated
    requests
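
As an added example (not from the slides or the Shibboleth project), this Python model walks the components of slides 10 to 12 through one login: the RM hands an unauthenticated request to the SHIRE, the user picks an origin at the WAYF, the origin's SSO checks its directory and the HS mints an opaque handle, and the SHAR presents that handle to the AA, which applies the ARP for the requesting target before the RM decides. The target therefore never sees a username or any attribute the ARP withholds. The origin, target names, user record and ARP are constructed for illustration.

```python
import secrets
class Origin:
    """Origin site: user directory, local sign-on (SSO), Handle Service (HS), Attribute Authority (AA)."""
    def __init__(self, directory, arps):
        self.directory = directory  # username -> {"password": ..., "attributes": {...}}
        self.arps = arps            # attribute release policies: target name -> attributes to release
        self.handles = {}           # opaque handle -> username; this mapping never leaves the origin

    def sso_login(self, username, password):
        """SSO checks the directory; on success the HS mints a temporary, opaque handle."""
        user = self.directory.get(username)
        if user is None or not secrets.compare_digest(user["password"], password):
            return None
        handle = secrets.token_hex(16)
        self.handles[handle] = username
        return handle

    def attribute_query(self, target, handle):
        """AA resolves the handle and releases only what the ARP for this target allows."""
        username = self.handles.get(handle)
        if username is None:
            return {}
        released = self.arps.get(target, set())
        return {k: v for k, v in self.directory[username]["attributes"].items() if k in released}

class Target:
    """Target site: SHIRE (sends the user to the WAYF), SHAR (queries the AA), RM (access decision)."""
    def __init__(self, name, wayf, required):
        self.name = name
        self.wayf = wayf            # WAYF list: origin name -> Origin
        self.required = required    # attribute -> value the RM demands for this resource

    def request(self, origin_name, username, password):
        origin = self.wayf.get(origin_name)            # SHIRE: the user picks an origin at the WAYF
        if origin is None:
            return "denied: unknown origin"
        handle = origin.sso_login(username, password)  # the user logs in at the origin, not here
        if handle is None:
            return "denied: login failed"
        attrs = origin.attribute_query(self.name, handle)  # SHAR asks the AA, handle in hand
        if all(attrs.get(k) == v for k, v in self.required.items()):  # RM sees only released attrs
            return "granted"
        return "denied: required attribute not released"

# Constructed sample data modelled on the Chris Jones example: one origin, one target, one ARP.
UWSP = Origin({"chris.jones": {"password": "correct horse", "attributes": {
                  "affiliation": "student", "course": "Psyc 402", "phone": "715-555-1234"}}},
              {"library.example.edu": {"affiliation", "course"}})  # the phone number is never released
LIBRARY = Target("library.example.edu", {"uwsp.edu": UWSP}, {"course": "Psyc 402"})
```

A second target with no ARP entry receives an empty attribute set and is denied, even though the same login at the origin succeeded.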

13
A Shibboleth Login
14
A Shibboleth Login
15
A Shibboleth Login
16
A Shibboleth Login
17
A Shibboleth Login
18
Shib-Speak Translated
19
Federations
  • Group of mutually trusting institutions
  • Origins and targets
  • Common policies on attributes to request,
    certificate authorities to accept
  • Higher ed federations: InQueue, InCommon

20
So You Want To Be An Origin
21
So You Want To Be An Origin
  • Step 1. Get everyone on board.
  • Step 2. Get a good user directory. (LDAP and
    msql supported out of the box.)
  • Step 98. Join a federation.
  • Step 99. Bake your sysadmins a batch of brownies
    and have them install software.

22
URLs of Note
  • http://shibboleth.internet2.edu/
  • http://inqueue.internet2.edu